Generic Identity And Access Management
SunbirdRC was originally tightly coupled with Keycloak for authentication and authorization of users. It has since been updated to work with any OAuth2-compliant identity layer as its IAM.
Generic IAM is part of release-1.0.0
SunbirdRC requires an IAM platform mainly for two purposes:
1. authN and authZ of users, to establish trust between the user and the entity.
2. managing user accounts for the entities that are created.
Configure the following environment variables for the registry core service:
- `oauth2_resource_uri` should be set to the issuer URL of the IAM service. For Fusionauth this is `http://domain/` (the issuer value configured on the tenant page); it must match the issuer the IAM puts into its tokens exactly.
- `oauth2_resource_email_path` should be set to the path used to read the email id from the token.
- `oauth2_resource_consent_path` (OPTIONAL) should be set to the path used to read the consent fields from the token.
- `oauth2_resource_roles_path` should be set to the path used to read roles from the token.
- `oauth2_resource_entity_path` (OPTIONAL) should be set to the path used to read entities from the token.
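The following is an added example, not SunbirdRC's own code, showing what the `oauth2_resource_*` settings do to an incoming bearer token: the token is checked (signature, then `iss` against `oauth2_resource_uri`) before the email, roles and entities are read out of its payload by the configured dotted paths. The HS256 shared secret, the two issuer URLs, the claim layouts (Keycloak nesting realm roles under `realm_access.roles`, a FusionAuth-style token carrying `roles` at the top level) and the `claim_at` / `resolve_identity` helpers are all constructed for this demo; a real deployment verifies against the provider's published signing keys rather than a shared secret.

```python
# Added example, not SunbirdRC code: applies oauth2_resource_* settings to a JWT.
# HS256 with a shared secret, the issuer URLs and the payloads are constructed
# for offline use; production code verifies against the IAM's public keys.
import base64
import hashlib
import hmac
import json

DEMO_SECRET = b"demo-shared-secret"  # constructed; never hardcode real keys


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint a compact HS256 JWT (stand-in for the IAM's token endpoint)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jwt(token: str, issuer: str, secret: bytes = DEMO_SECRET) -> dict:
    """Return the claims only if alg, signature and issuer all check out."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # allowlist; never trust the token's alg
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != issuer:  # exact string match, trailing slash included
        raise ValueError(f"issuer {claims.get('iss')!r} != {issuer!r}")
    return claims


def claim_at(claims: dict, path: str):
    """Walk a dotted path such as 'realm_access.roles'; None if absent."""
    cur = claims
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def resolve_identity(token: str, config: dict) -> dict:
    """Verify the token, then read identity fields via the configured paths."""
    claims = verify_jwt(token, config["oauth2_resource_uri"])
    out = {
        "email": claim_at(claims, config["oauth2_resource_email_path"]),
        "roles": claim_at(claims, config["oauth2_resource_roles_path"]) or [],
    }
    if "oauth2_resource_entity_path" in config:  # optional setting
        out["entities"] = claim_at(claims, config["oauth2_resource_entity_path"]) or []
    return out


# Constructed settings: Keycloak nests realm roles, the FusionAuth-style token does not.
KEYCLOAK_CONFIG = {
    "oauth2_resource_uri": "http://keycloak.local/auth/realms/sunbird-rc",
    "oauth2_resource_email_path": "email",
    "oauth2_resource_roles_path": "realm_access.roles",
    "oauth2_resource_entity_path": "entity",
}
FUSIONAUTH_CONFIG = {
    "oauth2_resource_uri": "http://fusionauth.local/",
    "oauth2_resource_email_path": "email",
    "oauth2_resource_roles_path": "roles",
}


def demo() -> dict:
    kc_token = sign_jwt({"iss": KEYCLOAK_CONFIG["oauth2_resource_uri"],
                         "email": "alice@example.org",
                         "realm_access": {"roles": ["admin", "Issuer"]},
                         "entity": ["Issuer"]})
    fa_token = sign_jwt({"iss": FUSIONAUTH_CONFIG["oauth2_resource_uri"],
                         "email": "alice@example.org", "roles": ["Issuer"]})
    results = {"keycloak": resolve_identity(kc_token, KEYCLOAK_CONFIG),
               "fusionauth": resolve_identity(fa_token, FUSIONAUTH_CONFIG)}
    # A token from the other issuer must fail even though its signature is valid.
    try:
        resolve_identity(fa_token, KEYCLOAK_CONFIG)
        results["cross_issuer_rejected"] = False
    except ValueError:
        results["cross_issuer_rejected"] = True
    # Swapping the payload to escalate roles must break the signature.
    header, _, sig = fa_token.split(".")
    forged = b64url(json.dumps({"iss": FUSIONAUTH_CONFIG["oauth2_resource_uri"],
                                "email": "alice@example.org", "roles": ["admin"]}).encode())
    try:
        resolve_identity(f"{header}.{forged}.{sig}", FUSIONAUTH_CONFIG)
        results["forged_roles_rejected"] = False
    except ValueError:
        results["forged_roles_rejected"] = True
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the two configs is that the path settings exist precisely because providers lay claims out differently; the point of the two rejection cases is that those paths are only as trustworthy as the signature and issuer checks in front of them, which is why `oauth2_resource_uri` has to match the issuer string exactly.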
Creating users in the IAM platform currently requires a custom implementation. SunbirdRC provides two ways to plug one in:
Option 1: a submodule built into the core service. SunbirdRC ships with two such submodules (Keycloak and auth0) for integrating with an IAM platform: https://github.com/Sunbird-RC/sunbird-rc-core/tree/main/java/middleware/registry-middleware. To support any other platform, create a module in the same fashion and configure the following environment variables with the respective values:
- `identity_provider`: dev.sunbirdrc.auth.keycloak.KeycloakProviderImpl (replace with the fully-qualified class name of your provider implementation)
- `sunbird_sso_url`: http://localhost:8080/auth/ (IAM URL)
The module must be added to the core registry; you then build a custom Docker image and use it in your application.
Steps to create a submodule in SunbirdRC:
- Implement the provider interface https://github.com/Sunbird-RC/sunbird-rc-core/blob/generic-auth/java/middleware/registry-middleware/identity-provider/src/main/java/dev/sunbirdrc/registry/identity_providers/providers/IdentityProvider.java, which returns the IdentityManager that handles user creation. (Example: https://github.com/Sunbird-RC/sunbird-rc-core/blob/generic-auth/java/middleware/registry-middleware/keycloak/src/main/java/dev/sunbirdrc/auth/keycloak/KeycloakProviderImpl.java)
- The IdentityManager should implement https://github.com/Sunbird-RC/sunbird-rc-core/blob/generic-auth/java/middleware/registry-middleware/identity-provider/src/main/java/dev/sunbirdrc/registry/identity_providers/pojos/IdentityManager.java, which creates the user in the IAM platform and returns the user id. (Example: https://github.com/Sunbird-RC/sunbird-rc-core/blob/generic-auth/java/middleware/registry-middleware/keycloak/src/main/java/dev/sunbirdrc/auth/keycloak/KeycloakAdminUtil.java)
- The provider is discovered through the Java ServiceLoader mechanism: a provider configuration file is placed in the resource directory META-INF/services. The file name is the fully-qualified name of the SPI interface and its content is the fully-qualified name of the implementation class. (Example: https://github.com/Sunbird-RC/sunbird-rc-core/blob/generic-auth/java/middleware/registry-middleware/keycloak/src/main/resources/META-INF/services/dev.sunbirdrc.registry.identity_providers.providers.IdentityProvider)
- Set the `identity_provider` env to the fully-qualified class name of your provider implementation.
Option 2: an external service. Instead of creating a module in the core service, you can create an external/custom service that exposes an API for creating users in your IAM platform.
Configure the following environment variable with the respective value:
- `sunbird_sso_url`: http://localhost:8080/auth/ (replace with your service endpoint)